What is the Data Protection Act 2018?
A look at the UK's national data laws and how GDPR fits into the puzzle
Designed to modernise data protection laws, the Data Protection Act 2018 came into force on 23 May 2018 as the third generation of the UK’s data protection regime. Based on the EU’s General Data Protection Regulation (GDPR), the Data Protection Act 2018 is designed to take into account advancements in the way data is used in the modern age and the way that personal information is collected by online platforms for various legitimate and illegitimate uses.
Replacing the Data Protection Act 1998, the current regulations devised a framework outlining how data can be lawfully collected, processed and used in the UK, and the measures that organisations and individuals must take to be compliant. This law covers a variety of policies, although at the heart of the legislation is the intent to empower individuals with rights and protections, giving them more tools to protect their personal information from being misused. The law also offers guidance for punitory measures that regulators can take if they find organisations or individuals to have violated these rights.
The DPA 2018 supplements the GDPR too, ensuring data adequacy with the EU following Brexit by extending into areas not covered by the EU regulations. The DPA 2018 didn’t so much implement GDPR into UK law as it implemented the EU Law Enforcement Directive, which offers data protection rights whenever data is used for law enforcement purposes.
Why do we need DPA 2018 when we have GDPR?
There are a few minor differences between the EU’s GDPR and the DPA 2018, despite the fact they largely mirror one another.
GDPR applied to all EU member states automatically when it came into force, but gave room for individual nations to create their own provisions that extend the reach of GDPR. This allowed member states to implement the data protection laws more smoothly in a way that complemented existing regulations.
Most of the UK’s data processing was governed by GDPR until Brexit, although a handful of regulatory issues were specific to the UK and only processed by domestic laws. Examples include immigration issues or the processing of FOI data. The DPA 2018 also includes a handful of national security exemptions.
For example, under the DPA 2018, the Home Office, and other organisations that involve the processing of immigration data, are allowed to reject access requests to personal data if the organisation believes such action could prejudice “effective immigration control”.
However, this exemption has been challenged by human and digital rights campaigners, with the Open Rights Group and the3million launching a joint legal challenge in January 2019. That challenge, which argued that the exemption relating to immigration data was unlawful, was ultimately rejected by the High Court in October.
There are also a number of provisions under GDPR that are not applied in UK law, which are otherwise set out under the DPA 2018. For example, the legal age for providing consent to process personal data is 16 as a default under GDPR, whereas in the UK this is set at 13. Under the DPA 2018, UK organisations are also allowed to perform a degree of automatic decision making, something which is forbidden under GDPR.
Despite having voted to leave the EU, the UK was bound to any EU legislation enacted until 31 January 2020, including GDPR - this will now be signed into UK law as part of the European Union (Withdrawal) Act 2018.
The DPA 2018 is also required to ensure the smooth flow of data from the EU to the UK now that we have left the bloc. As part of the coming negotiations, the UK will be seeking an 'adequacy agreement', a formal recognition from the EU that as a 'third country' the UK has robust enough data protection laws in place to provide a similar level of data protection to users as that provided under GDPR. Although the UK has said it will authorise the transmission of data to the EU automatically, without an adequacy agreement the UK may find it difficult to receive data legally. While there's every indication that this will happen, the process can only start once the UK leaves the EU, and it's impossible to say how long this negotiation could take.
What's more, any organisation based in the UK (or anywhere else for that matter) that has customers who are European residents will be required to adhere to GDPR rules regardless of whether the UK is in or out of the EU. It makes sense, therefore, to have domestic law that largely mirrors GDPR.
For more information on the various ways in which Brexit may affect GDPR, head to our in-depth guide.
Definition of personal data under DPA 2018
Any information that relates to an identified or an identifiable living person, in that an individual can be identified directly or indirectly through this, is classified as personal data. The information that falls under this category includes names, any identification numbers, location data, online identifiers or any one or more pieces of information specific to them. These would including any information that’s physical physiological, mental, genetic, economic, cultural, or any other data that might be associated with their social identity.
Personal data, in effect, comprises anything that may be used to identify an individual, and in modern times has even extended to include details such a person’s IP address.
What has changed since the DPA 1998
The latest piece of legislation is designed to bring data protection to modern standards, in light of the growth of massive internet companies as well as the way data is collected, processed and monetised in gigantic quantities. The DPA 2018 introduced far more protections for citizens and improved the protections and rights as initially outlined in the previous legislation
Under the new regime, organisations are required to be more transparent about how and why they handle, collect and process the data they do. The collation of data must also be for explicitly stated and legitimate reasons.
There are a number of conditions that businesses must also bear in mind when processing data, including the consent of the data subject, legal obligation, the public interest, vital interest, legitimate interests, among others. One of the greatest changes has been in the way consent is seen in the eyes of the law, with the threshold for consent raised significantly. Under the DPA 2018, user consent must be explicit for the processing of data in relation to specifically outlined purposes, as opposed to blanket consent, as was sought previously.
Greater requirements have also been put on organisations to keep data accurate and up-to-date, but also to immediately remove anything from systems that is inaccurate, on request when such issues are flagged.
Processing data, meanwhile, is now limited entirely to the specific purposes for which it was collected, which differs from how organisations interpreted provisions in the 1998 DPA. Previously, companies could process data in any which way provided it wasn't "excessive" to the original purpose.
Structure of the DPA 2018
The DPA 2018 enforces four distinct data protection frameworks, with each relating to a specific category of data processing.
- Within the scope of GDPR
- Outside the scope of GDPR
- By competent authorities for law enforcement purposes
- By the intelligence services
The act is also split into seven parts, each containing multiple schedules. Following an introductory section and key terms, Part 2 covers various aspects of general processing of personal data, Part 3 covers law enforcement, Part 4 relates to intelligence service processing, Part 5 covers the powers of the Information Commissioner's Office (ICO), Part 6 outlines the scope of enforcement powers, and Part 7 covers additional provisions that do not fall under the previous categories.
Special provisions are set out for law enforcement processing, including the processing of personal data by the police, prosecutors and similar criminal justice bodies. Similar provisions exist for processing by intelligence services, which aim to bring UK standards in line with international standards. The frameworks also ensure the smooth flow of data internationally for the purpose of tackling crime, while ensuring data protection is upheld.
Penalties for a breach of DPA 2018
Under the DPA 2018, failing to report a data breach within a 72 hour period can result in a fine of 2% of a company's annual global turnover, or €10 million (£9 million), whichever is highest. For the data breach itself, the maximum fine doubles to 4% or €20 million (£17 million).
Consumer choice and the payment experience
A software provider's guide to getting, growing, and keeping customersDownload now
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityDownload now
Business in the new economy landscape
How we coped with 2020 and looking ahead to a brighter 2021Download now
How to increase cyber resilience within your organisation
Cyber resilience for dummiesDownload now